Abstract

Step-indexed semantic models of types were proposed as an alternative to purely syntactic safety proofs using subject-reduction. Building upon the work by Appel and others, we introduce a generalized step-indexed model for the call-by-name lambda calculus. We also show how to prove type safety of general recursion in our call-by-name model.



1 Introduction

Until recently, the most common way to prove type safety was by a purely syntactic proof technique called subject-reduction, which was adapted from combinatory logic by Wright and Felleisen [T^]. One shows that each step of computation preserves typability (preservation) and that typable states are safe (progress).

This is not the only way though. Type safety can also be proved with respect to a semantic model. The semantic approach used in this paper avoids formalizing syntactic type expressions. Instead, one defines types as sets of semantic values. Using a technique called step-indexing, one then relates terms to these semantic types, and proves that typability implies safety. Instead of formalizing syntactic typing judgements, one formulates typing lemmata and proves their soundness with respect to the semantic model.

Related work. Appel et al. introduced step-indexed models in the context of foundational proof carrying code [5]. While they were primarily interested in low-level languages, they also applied their technique to a pure call-by-value $\lambda$-calculus with recursive types [6]. Our work generalizes the framework by Appel et al. to call-by-name by generalizing ground substitutions to terms instead of just values.

Ahmed et al. successfully extended the step-indexed models introduced by Appel et al. to general references and impredicative polymorphism [2, 4]. Hritcu et al. further extended it to object types, subtyping and bounded quantified types [HI Hn]. They also indirectly considered the call-by-name $\lambda$-calculus using its well-known encoding in the $\pi$-calculus [T], including an encoding of the fixed point combinator [8].

Outline. In section 2 we present the syntax and small-step semantics of the programming language. Section 3 introduces semantic types and typing lemmata for the simply typed $\lambda$-calculus, which is extended with recursive types in section 4, while section 5 considers general recursion in the simply typed $\lambda$-calculus.



2 The language and its small-step semantics

The language we consider in this paper is the pure $\lambda$-calculus extended with constants, the simplest functional language that exhibits run-time errors (closed terms that "go wrong"). Its syntax is shown in Figure 1. We write $a[x \mapsto b]$ for the (capture avoiding) substitution of $b$ for all unbound occurrences of $x$ in $a$. A term $v$ is a value if it is a constant $c$ or a closed term of the form $\lambda x.\,a$.

$$
\begin{array}{ll}
\text{Variables:} & x, y, z, \ldots \\
\text{Constants:} & c ::= 0 \mid 1 \mid \ldots \\
\text{Terms:} & a, b ::= c \mid x \mid \lambda x.\,a \mid a\,b
\end{array}
$$

Figure 1: Basic syntax

$$
(\lambda x.\,a)\,b \to a[x \mapsto b]
\qquad\qquad
\frac{a \to a'}{a\,b \to a'\,b}
$$

Figure 2: Small-step semantics

The operational semantics, shown in small-step style in Figure 2, is entirely conventional [TT]. We write $a_0 \to^k a_k$ if there exists a sequence of $k$ steps $a_0 \to a_1 \to \cdots \to a_k$. We write $a \to^* b$ if $a \to^k b$ for some $k \geq 0$. We say that $a$ is safe for $k$ steps if for any sequence $a \to^j b$ of $j < k$ steps, either $b$ is a value or there is some $b'$ such that $b \to b'$. Note that any term is safe for $0$ steps. A term $a$ is called safe if it is safe for every $k \geq 0$.

3 Semantic types

In this section we construct the methods for proving that a given term is safe in the call-by-name $\lambda$-calculus, using a simplified type system without recursive types. The semantic approach taken here considers types as indexed sets of values rather than syntactic type expressions.

Definition 1. A type is a set $\tau$ of pairs $(k, v)$ where $k \geq 0$ and $v$ is a value, and where the set $\tau$ is such that, whenever $(k, v) \in \tau$ and $0 \leq j \leq k$, then $(j, v) \in \tau$. For any term $a$ and type $\tau$ we write $a :_k \tau$ if $a$ is closed, and if, whenever $a \to^j b$ for some irreducible term $b$ and $j < k$, then $(k - j, b) \in \tau$.

Intuitively, $a :_k \tau$ means that the closed term $a$ behaves like an element of $\tau$ for $k$ steps of computation. That is, $k$ computation steps do not suffice to prove that $a$ does not terminate with a value of type $\tau$. Note that if $a :_k \tau$ and $0 \leq j \leq k$ then $a :_j \tau$. Also, for a value $v$ and $k > 0$, the statements $v :_k \tau$ and $(k, v) \in \tau$ are equivalent.



Definition 2. A type environment is a mapping from variables to types. An environment (or ground substitution) is a mapping from variables to terms. For any type environment $\Gamma$ and environment $\gamma$ we write $\gamma :_k \Gamma$ if $\mathrm{dom}(\gamma) = \mathrm{dom}(\Gamma)$ and $\gamma(x) :_k \Gamma(x)$ for every $x \in \mathrm{dom}(\gamma)$. We write $\Gamma \models a :_k \tau$ if $\gamma(a) :_k \tau$ for every $\gamma :_k \Gamma$, where $\gamma(a)$ is the result of replacing the unbound variables in $a$ with their terms under $\gamma$. We write $\Gamma \models a : \tau$ if $\Gamma \models a :_k \tau$ for every $k \geq 0$.

Note that $\Gamma \models a : \tau$ can be viewed as a three-place relation that holds on the type environment $\Gamma$, the term $a$, and the type $\tau$. Utilizing this typing relation we can express static typing rules, which operate on terms with unbound variables. But first we observe that the safety theorem, stating "typability implies safety", is now a direct consequence of Definitions 1 and 2, whereas in a syntactic type theory it is at least tedious to prove.

Theorem 3. If $\emptyset \models a : \tau$, then $a$ is safe.

We can now construct semantic types and appropriate typing lemmata to derive true judgements of the form $\Gamma \models a : \tau$. Figure 3 gives the types and

$$
\begin{array}{rcl}
\bot & = & \emptyset \\
\top & = & \{(k, v) \mid k \geq 0\} \\
\mathit{Nat} & = & \{(k, c) \mid k \geq 0\} \\
\tau \to \tau' & = & \{(k, \lambda x.\,a) \mid \forall j < k.\ \forall b.\ b :_j \tau \Rightarrow a[x \mapsto b] :_j \tau'\}
\end{array}
$$

Figure 3: Semantic types

Figure 4 gives the typing lemmata for the simply typed $\lambda$-calculus. The remainder of this section is devoted to proving the soundness of these lemmata.



$$
\Gamma \models x : \Gamma(x)
\qquad\qquad
\Gamma \models c : \mathit{Nat}
$$

$$
\frac{\Gamma \models a : \tau \to \tau' \qquad \Gamma \models b : \tau}{\Gamma \models a\,b : \tau'}
\qquad\qquad
\frac{\Gamma[x \mapsto \tau] \models a : \tau'}{\Gamma \models \lambda x.\,a : \tau \to \tau'}
$$

Figure 4: Semantic typing lemmata

The lemma for variables, stating $\Gamma \models x : \Gamma(x)$, follows directly from the definition of $\models$. The fact that $\mathit{Nat}$ is a type, and $\Gamma \models c : \mathit{Nat}$, both follow immediately from the definition of $\mathit{Nat}$. We now consider the lemmata for applications and lambda terms. First we have the following lemma, which follows immediately from the definition of $\to$.

Lemma 4. If $\tau$ and $\tau'$ are types then $\tau \to \tau'$ is also a type.

Proof. By definition of $\to$ it is obvious that $\tau \to \tau'$ is closed under decreasing index. $\square$

Lemma 5. If $a_1 :_k \tau \to \tau'$ and $a_2 :_k \tau$, then $(a_1\,a_2) :_k \tau'$.

Proof. Since $a_1 :_k \tau \to \tau'$ and $a_2 :_k \tau$ we have that both $a_1$ and $a_2$ are closed, and if $a_1$ generates an irreducible term in less than $k$ steps, that term must be a lambda term. Hence, the application $a_1\,a_2$ either reduces for $k$ steps without any top-level $\beta$-reduction, or there must be a lambda term $\lambda x.\,b$ such that $a_1\,a_2 \to^j (\lambda x.\,b)\,a_2$ for some $j < k$.

In the first case, we know that $a_1\,a_2$ is closed, and does not generate an irreducible term in less than $k$ steps, and hence $a_1\,a_2 :_k \tau'$.

Otherwise we have $a_2 :_{k-(j+1)} \tau$ by closure under decreasing index, and $(k - j, \lambda x.\,b) \in \tau \to \tau'$ by Definition 1. Then $b[x \mapsto a_2] :_{k-(j+1)} \tau'$ follows by the definition of $\to$. But now we have $a_1\,a_2 \to^{j+1} b[x \mapsto a_2]$ and $b[x \mapsto a_2] :_{k-(j+1)} \tau'$, and we can conclude $a_1\,a_2 :_k \tau'$. $\square$

Theorem 6 (Application). Let $\Gamma$ be a type environment, let $a_1$ and $a_2$ be (possibly open) terms, and let $\tau$ and $\tau'$ be types. If $\Gamma \models a_1 : \tau \to \tau'$ and $\Gamma \models a_2 : \tau$, then $\Gamma \models a_1\,a_2 : \tau'$.

Proof. By Lemma 5 we have $\gamma(a_1\,a_2) :_k \tau'$ for every $k \geq 0$ and $\gamma$, whenever $\gamma :_k \Gamma$, $\gamma(a_1) :_k \tau \to \tau'$ and $\gamma(a_2) :_k \tau$. Hence, we conclude $\Gamma \models a_1\,a_2 :_k \tau'$ (for every $k \geq 0$). $\square$

Theorem 7 (Abstraction). Let $\Gamma$ be a type environment, let $\tau$ and $\tau'$ be types, and let $\Gamma[x \mapsto \tau]$ be the type environment that is identical to $\Gamma$ except that it maps $x$ to $\tau$. If $\Gamma[x \mapsto \tau] \models a : \tau'$, then $\Gamma \models \lambda x.\,a : \tau \to \tau'$.

Proof. Let $k \geq 0$, $b$ be a closed term with $b :_k \tau$, and $\gamma$ be an environment such that $\gamma :_k \Gamma$. Then $\gamma[x \mapsto b] :_k \Gamma[x \mapsto \tau]$, and since $(\gamma[x \mapsto b])(a) :_k \tau'$ and $b$ is closed, we also have $\gamma(a[x \mapsto b]) :_j \tau'$ and $b :_j \tau$ for every $j < k$. Then $(k, \gamma(\lambda x.\,a)) \in \tau \to \tau'$, and since $\gamma(\lambda x.\,a)$ is obviously closed, we conclude $\Gamma \models \lambda x.\,a :_k \tau \to \tau'$ (for every $k \geq 0$). $\square$
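As an added worked instance (not part of the paper) of the lemmata in Figure 4 and of Definition 1, take the closed term $a \equiv (\lambda x.\,x)\,0$. The lemmata for variables, abstraction, constants and application give

$$
\frac{\emptyset[x \mapsto \mathit{Nat}] \models x : \mathit{Nat}}{\emptyset \models \lambda x.\,x : \mathit{Nat} \to \mathit{Nat}}
\qquad
\emptyset \models 0 : \mathit{Nat}
\qquad\Longrightarrow\qquad
\emptyset \models (\lambda x.\,x)\,0 : \mathit{Nat},
$$

so by Theorem 3 the term is safe. Unfolding Definition 1 directly for $k = 2$: the only reduction sequence is $(\lambda x.\,x)\,0 \to 0$, which reaches the irreducible term $0$ after $j = 1 < 2$ steps, and $(2 - 1, 0) = (1, 0) \in \mathit{Nat}$. For $k = 1$ no irreducible term is reached in $j < 1$ steps, so $a :_1 \mathit{Nat}$ holds vacuously, just as $a :_0 \tau$ holds for every type $\tau$. By contrast, $a' \equiv (\lambda x.\,0\,1)\,5$ satisfies $a' :_1 \mathit{Nat}$ for the same vacuous reason, but $a' \to 0\,1$ and $0\,1$ is irreducible without being a value, so $a' :_2 \mathit{Nat}$ would require $(1, 0\,1) \in \mathit{Nat}$, which fails. Correspondingly the lemmata cannot derive $\emptyset \models a' : \mathit{Nat}$: the abstraction lemma would need $\emptyset[x \mapsto \mathit{Nat}] \models 0\,1 : \tau'$ for some $\tau'$, and the application lemma would in turn need $\emptyset \models 0 : \tau \to \tau'$, but $(1, 0) \notin \tau \to \tau'$ since an arrow type contains only lambda terms.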

4 Recursive types

Recursive types were one of the main motivations behind the model of Appel et al. [6], and their results apply here, therefore we do not go into much detail. Figure 5 shows the recursion type operator $\mu$, which computes a candidate fixed point of a function $F$ from types to types by repeatedly applying the function to $\bot$, and the two typing lemmata for recursive types.

$$
\mu F \equiv \{(k, v) \mid (k, v) \in F^{k+1}(\bot)\}
$$

$$
\frac{\Gamma \models a : F(\mu F)}{\Gamma \models a : \mu F}
\qquad\qquad
\frac{\Gamma \models a : \mu F}{\Gamma \models a : F(\mu F)}
$$

Figure 5: Recursive types

We will show that the typing lemmata in Figure 5 hold in the case where $F$ is well founded. This is achieved by proving $\mu F = F(\mu F)$ for every well founded $F$, essentially proving that our recursive types are actually equi-recursive types, in contrast to iso-recursive types where $\mu F$ is only isomorphic to $F(\mu F)$ via roll and unroll constructs on terms [HQ].

Definition 8. The $k$-approximation of an indexed set $\tau$ is the subset

$$
\lfloor \tau \rfloor_k = \{(j, v) \mid j < k \wedge (j, v) \in \tau\}
$$

of its elements whose index is less than $k$.

Obviously $\lfloor \tau \rfloor_k$ is a type whenever $\tau$ is a type. We now define a notion of well founded functional. Intuitively, a recursive definition of a type $\tau$ is well founded if, in order to determine whether or not $a :_k \tau$, it suffices to show $b :_j \tau$ for all terms $b$ and indices $j < k$.

Definition 9. A well founded functional is a function $F$ from types to types such that

$$
\lfloor F(\tau) \rfloor_{k+1} = \lfloor F(\lfloor \tau \rfloor_k) \rfloor_{k+1}
$$

for every type $\tau$ and every index $k \geq 0$.

Lemma 10. For every well founded functional $F$ and every $k \geq 0$ we have:

1. $\mu F$ is a type

2. $\lfloor \mu F \rfloor_k = \lfloor F(\mu F) \rfloor_k$

Theorem 11. If $F$ is a well founded functional, then $\mu F = F(\mu F)$.

See the paper of Appel and McAllester [6] for the proof sketch.

5 General recursion

As mentioned by Appel et al. [IH], step-indexed types can also be used to simplify the semantic treatment of the fixed point rule to type recursive functions in the simply typed $\lambda$-calculus (without recursive types). Using the generalized framework presented in section 3, we are able to provide a direct, semantic soundness proof of the fixed point rule, which avoids any use of semantic domains, term orders, or monotonicity.

$$
\mathit{fix}\,a \to a\,(\mathit{fix}\,a)
\qquad\qquad
\frac{\Gamma \models a : \tau \to \tau}{\Gamma \models \mathit{fix}\,a : \tau}
$$

Figure 6: General recursion

We consider the standard fixed point operator [11], written $\mathit{fix}\,a$, for the call-by-name lambda calculus. The small-step rule and the new typing lemma are shown in Figure 6. The remainder of this section is devoted to proving the soundness of the semantic typing lemma.

Lemma 12. If $a :_k \tau \to \tau$, then $(\mathit{fix}\,a) :_k \tau$.

Proof. By induction on $k$. Since $a :_k \tau \to \tau$ implies $a :_j \tau \to \tau$ for every $j < k$, we also have $(\mathit{fix}\,a) :_j \tau$ for every $j < k$ by the induction hypothesis, and using Lemma 5 we also have $(a\,(\mathit{fix}\,a)) :_j \tau$. Of course, $(\mathit{fix}\,a)$ is closed whenever $a$ is closed. So assume that there is some irreducible term $b$ and some $j < k$ such that $(\mathit{fix}\,a) \to^j b$. This implies $j > 0$ and $(\mathit{fix}\,a) \to a\,(\mathit{fix}\,a) \to^{j-1} b$, and since $(a\,(\mathit{fix}\,a)) :_{k-1} \tau$ we have $(k - j, b) \in \tau$. Hence, we conclude $(\mathit{fix}\,a) :_k \tau$. $\square$



This leads immediately to the following theorem, stating the soundness of the typing lemma for the call-by-name fixed point operator as shown in Figure 6.

Theorem 13 (General recursion). Let $\Gamma$ be a type environment, let $a$ be a term, and let $\tau$ be a type. If $\Gamma \models a : \tau \to \tau$, then $\Gamma \models \mathit{fix}\,a : \tau$.
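The definitions of this paper can be executed for concrete terms. The following Python program is an added example and not code from the paper: it implements the syntax of Figure 1, the call-by-name reduction rules of Figure 2 together with the rule $\mathit{fix}\,a \to a\,(\mathit{fix}\,a)$ of Figure 6, the notion "safe for $k$ steps" from Section 2, and a checker for $a :_k \mathit{Nat}$ (Definition 1 instantiated to the type $\mathit{Nat}$ of Figure 3; arrow types quantify over all terms and are not decidable by evaluation, so only $\mathit{Nat}$ is checked). The class and function names and the sample terms at the end are this example's own constructions; substitution assumes the substituted term is closed, which is all that ground substitutions require.

```python
from dataclasses import dataclass
from typing import Optional, Union

# Syntax of Figure 1 plus the fix operator of Figure 6 (names are this example's own).
@dataclass(frozen=True)
class Const:
    n: int

@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class Lam:
    x: str
    body: "Term"

@dataclass(frozen=True)
class App:
    fn: "Term"
    arg: "Term"

@dataclass(frozen=True)
class Fix:
    fn: "Term"

Term = Union[Const, Var, Lam, App, Fix]


def free_vars(t: Term) -> frozenset:
    """Unbound variables of t; a term is closed iff this set is empty."""
    if isinstance(t, Var):
        return frozenset([t.name])
    if isinstance(t, Lam):
        return free_vars(t.body) - {t.x}
    if isinstance(t, App):
        return free_vars(t.fn) | free_vars(t.arg)
    if isinstance(t, Fix):
        return free_vars(t.fn)
    return frozenset()


def subst(t: Term, x: str, b: Term) -> Term:
    """a[x |-> b] for a closed b (assumption of this example): with b closed, no
    binder in t can capture a variable of b, so no renaming is needed."""
    assert not free_vars(b), "this example only substitutes closed terms"
    if isinstance(t, Var):
        return b if t.name == x else t
    if isinstance(t, Lam):
        return t if t.x == x else Lam(t.x, subst(t.body, x, b))
    if isinstance(t, App):
        return App(subst(t.fn, x, b), subst(t.arg, x, b))
    if isinstance(t, Fix):
        return Fix(subst(t.fn, x, b))
    return t


def step(t: Term) -> Optional[Term]:
    """One call-by-name step (Figures 2 and 6); None when t is irreducible."""
    if isinstance(t, App):
        if isinstance(t.fn, Lam):               # (\x. a) b -> a[x |-> b]
            return subst(t.fn.body, t.fn.x, t.arg)
        fn2 = step(t.fn)                         # a -> a'  gives  a b -> a' b
        return None if fn2 is None else App(fn2, t.arg)
    if isinstance(t, Fix):                       # fix a -> a (fix a)
        return App(t.fn, t)
    return None                                  # constants, variables, lambdas


def is_value(t: Term) -> bool:
    """Values: constants and closed lambda terms."""
    return isinstance(t, Const) or (isinstance(t, Lam) and not free_vars(t))


def safe_for(a: Term, k: int) -> bool:
    """'a is safe for k steps': every b with a ->^j b and j < k is a value or can step."""
    cur = a
    for _ in range(k):
        if is_value(cur):
            return True                          # values do not step; nothing left to check
        nxt = step(cur)
        if nxt is None:
            return False                         # irreducible non-value: the term went wrong
        cur = nxt
    return True                                  # k = 0, or no failure within k steps


def in_nat(a: Term, k: int) -> bool:
    """a :_k Nat: a closed, and any irreducible b reached in j < k steps is a constant."""
    if free_vars(a):
        return False
    cur = a
    for _ in range(k):
        nxt = step(cur)
        if nxt is None:
            return isinstance(cur, Const)        # (k - j, cur) must lie in Nat
        cur = nxt
    return True                                  # no irreducible term within k steps


# Constructed sample terms.
STUCK = App(Const(0), Const(1))                  # 0 1: irreducible but not a value
LATE_STUCK = App(Lam("x", STUCK), Const(5))      # (\x. 0 1) 5 -> 0 1: goes wrong at step 2
OMEGA = App(Lam("x", App(Var("x"), Var("x"))),
            Lam("x", App(Var("x"), Var("x"))))   # reduces to itself forever, never goes wrong
FIX_CONST = Fix(Lam("f", Const(0)))              # fix (\f. 0) -> (\f. 0) (fix ..) -> 0

if __name__ == "__main__":
    for name, t in [("STUCK", STUCK), ("LATE_STUCK", LATE_STUCK),
                    ("OMEGA", OMEGA), ("FIX_CONST", FIX_CONST)]:
        print(name, "safe_for:", [safe_for(t, k) for k in range(4)],
              "in_nat:", [in_nat(t, k) for k in range(4)])
```

The sample terms show the role of the index: `LATE_STUCK` is safe for one step and satisfies $a :_1 \mathit{Nat}$, but fails both at $k = 2$, while the divergent `OMEGA` is safe for every $k$ and `FIX_CONST` is an instance of Theorem 13 with $\tau = \mathit{Nat}$, since $\lambda f.\,0$ has type $\mathit{Nat} \to \mathit{Nat}$.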

6 Conclusion

We have presented a step-indexed model for the call-by-name lambda calculus, and used it to prove the safety of a type system with recursive types. We also proved safety of general recursion in our framework.